I haven't done more than look at the screenshots for it, but the "personal firewall" (e.g., iptables frontend) that comes with RH9 looks to be default deny for most incoming traffic while providing a nice (read: graphical and straightforward) way to punch essential holes through it as needed. (and only as needed)
Don't get me wrong, I like powerful CLI interfaces to my firewall as much as the next fellow, but it is fairly easy to make a mistake that can leave you vulnerable. For the common cases, I think it makes a lot of sense to provide a dead simple way to configure it.

I recall seeing a firewall.sh script in init.d, but it was plastered with warnings not to actually use it, so I didn't ;) Anyone know if more work has been done in this area?

On Wed, 2003-09-24 at 18:01, Michael Stone wrote:
> On Wed, Sep 24, 2003 at 08:16:41PM -0400, Noah L. Meyerhans wrote:
> >Basically, I think that "security levels" don't gain you anything over
> >"don't install the package".
>
> Until installing a package has the side effect of installing a network
> service. Having a default-deny-incoming firewall or some such would go a
> long way toward preventing accidental vulnerability exposure.
>
> Mike Stone